DEP FileVault on Big Sur

jsim
New Contributor II

I am having issues since I activated FileVault as default: it picks my first hidden administrator account as the first user. My users are unable to activate FileVault, as the hidden admin has not sent the key back to Jamf.

Do you guys face the same as well? What are the workarounds you have been using?
TIA! 🙂


Tribruin
Valued Contributor II

A few questions that would help give more accurate information:

1) How are you enrolling your computers? (ADE or User Initiated)

2) How are you creating your "hidden" admin and the local user?

3) Is your admin user logging in before the local user?

4) What version of macOS are you running?

It sounds like your hidden admin is getting a SecureToken first instead of your local user. Typically the first user to log in to the computer, which is usually the user created during setup, is granted a SecureToken. But that is not always the case, and a SecureToken user can grant another user a SecureToken as well.

easyedc
Valued Contributor II

One other consideration is whether you are creating first users as admin or standard level. If you're using ADE to build/enroll your Macs, a secure token would be given to an Admin level account, but not a standard level one. In the past, we've done it both ways (our users were generally standard):

  1. Boot
  2. ADE workflow
  3. Create admin level local user
  4. Enable FV2
  5. Downgrade user to standard

OR flip it

  1. Boot
  2. ADE workflow
  3. Create standard level local user
  4. Upgrade to admin
  5. Enable FV2
  6. Downgrade user to standard

The choice to leave them as standard was made in the event a user accidentally wiped/re-provisioned themselves. Apple's not got a great way to do this through ADE still. Give them feedback.
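To audit the situation Tribruin and easyedc describe (who actually holds a SecureToken, and whether the only holder is the hidden admin), here is an added example, not code from the thread or from Jamf. It assumes the hidden admin's short name is passed in and that `sysadminctl -secureTokenStatus <user>` and `fdesetup list` print in the formats shown in the comments; the demo at the bottom uses constructed sample output so it can run anywhere.

```shell
#!/bin/sh
# Audit helper (added example). Flags the case where only the hidden admin
# holds a SecureToken, so the end user cannot enable FileVault 2.

# Parse one line of `sysadminctl -secureTokenStatus` output
# (e.g. "sysadminctl[512:9999] Secure token is ENABLED for user jsim")
# -> ENABLED, DISABLED or UNKNOWN.
parse_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Given `fdesetup list` output ("username,UUID" per line) on stdin,
# print only the usernames that are FileVault-enabled.
parse_fv_users() {
  cut -d, -f1
}

# Live check (macOS only): query the real command for one user.
# sysadminctl writes its status line to stderr, hence 2>&1.
token_state_for() {
  parse_token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Verdict: first arg is the hidden admin's short name, the rest are
# "user:STATE" pairs. Prints OK (exit 0) when at least one non-hidden user
# holds a token, else NEEDS_TOKEN (exit 1): the end user must be granted a
# token by the existing holder before FV2 can be enabled for them.
audit_tokens() {
  hidden="$1"; shift
  for pair in "$@"; do
    user="${pair%%:*}"; state="${pair#*:}"
    if [ "$user" != "$hidden" ] && [ "$state" = "ENABLED" ]; then
      echo OK; return 0
    fi
  done
  echo NEEDS_TOKEN; return 1
}

# Demo on constructed sample output (stands in for the live commands).
sample='sysadminctl[512:9999] Secure token is ENABLED for user hiddenadmin'
echo "hiddenadmin token: $(parse_token_state "$sample")"
audit_tokens hiddenadmin "hiddenadmin:ENABLED" "jsim:DISABLED" || true
```

On a real Mac, replace the constructed pairs with `"$u:$(token_state_for "$u")"` for each local user and compare against `fdesetup list | parse_fv_users` to see who can and cannot unlock the disk.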

easyedc
Valued Contributor II

And I just realized it's been quite a while since I looked at this. The standard user may still get the token, but can't enable FV. That could have been our issue.

jsim
New Contributor II

Hi everyone, thanks for the input. I realize I have not given enough context.

So here it is.

1) New DEP Setup on macOS Big Sur
(This only happens to new machines; the older machines that were upgraded from Catalina do not have this issue, as Jamf already has a copy of the FV2 key.)

2) Enroll via DEP -> Jamf

3) Administrative accounts are created via Profiles, and this happens during the enrollment page where users create their account. So in this sense, my administrative account is the first account created, then the user account.

@Tribruin You are right, my administrative account is issued a secure token, and we do not log in to that account unless needed. However, with Big Sur, when the first account's token is not missing, I am unable to process FV2 on the user's account.